This disclosure relates in general to packet filtering and, but not by way of limitation, to systems and methods for denial of service (DoS) and distributed DoS (DDoS) attack mitigations.
Operating systems running on computers connected to the Internet provide a set of communication services known as a protocol stack, typically a TCP/IP stack. The purpose of this protocol stack is to permit local applications to communicate with remote applications over a medium (for example, a web browser communicating with a web server over Ethernet). The protocol stack splits outgoing data streams into packets delivered to the medium, and assembles incoming packets into data streams to be delivered to the application. A stream of related packets is generally known as a “session.” The task of identifying which session a packet belongs to, and which application it must be delivered to, is generally very expensive: it involves many checks for validity, protocol compliance and timing, and many memory lookups to find the relevant session among a collection of existing sessions that can grow very large.
Some ill-intentioned entities exploit, in DoS and DDoS attacks, the high cost of managing a large session table and of admitting only valid packets. Many zombie agents can be used together in a concerted attack. A DDoS attack sends many random or fixed packets from one or multiple sources, sometimes pretending to come from another source (“spoofing”), to maximize the cost of analyzing these packets on the target system. When the packet rate reaches the system's limit, it can no longer deliver its intended service to regular users. These attacks are used for blackmail, for retaliation, to drive blocked customers to another service, or sometimes merely for entertainment and to cause havoc.
Some DDoS attacks work better than others because of the extra processing cost their packets impose. Most commonly, TCP SYN packets are used (“SYN flood attacks”), as each SYN requires either some storage (session creation) or some cryptographic computation (SYN cookies). These common attacks generally can be dealt with efficiently by using dedicated hardware to generate SYN cookies. Consequently, other forms of attack exist, such as ACK floods and RST floods, whose packets pretend to be part of existing sessions and therefore generally render stateless dedicated hardware helpless. Another form of attack usually consists of filling the physical link with useless packets that will generally be dropped (e.g., an ICMP flood). Still another attack targets connectionless services, such as DNS, using UDP packets. All of the DDoS attacks above are expensive for the host computer to process and generally render it totally unresponsive to normal requests.
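As an added illustration, not part of this disclosure, of why stateless SYN-cookie hardware absorbs SYN floods but not ACK or RST floods: the Python model below places a stateless front end in front of the host's stateful stack; the front end answers SYNs with HMAC-derived cookies and verifies handshake ACKs without storing anything, while every other packet that claims to belong to an existing session is forwarded to the host's session table, where each lookup is counted. The secret key, packet layout, time-slot scheme and addresses are constructed for the demonstration.

```python
import hashlib, hmac
SECRET = b"constructed-demo-secret"  # constructed; real hardware uses a random, rotated key

def flow(pkt):
    return (pkt["src"], pkt["sport"], pkt["dport"])

def syn_cookie(pkt, slot):
    """Stateless SYN cookie: an ISN derived from the flow identifiers and a time slot."""
    msg = repr((flow(pkt), slot)).encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

def valid_handshake_ack(pkt, slot):
    """True if the ACK number acknowledges a cookie issued in this or the previous slot."""
    return any((syn_cookie(pkt, s) + 1) & 0xFFFFFFFF == pkt["ack"] for s in (slot, slot - 1))

class Host:  # the server's stateful stack; each session-table lookup is the expensive step
    def __init__(self):
        self.sessions, self.lookups = set(), 0
    def establish(self, pkt):
        self.sessions.add(flow(pkt))
    def receive(self, pkt):
        self.lookups += 1
        return "DELIVER" if flow(pkt) in self.sessions else "DROP"

class StatelessFrontEnd:  # dedicated SYN-cookie hardware; keeps no per-session state
    def __init__(self):
        self.host = Host()
    def receive(self, pkt, slot):
        if pkt["flags"] == "SYN":
            return "SYN-ACK"  # cookie goes out as the ISN; nothing is stored
        if pkt["flags"] == "ACK" and valid_handshake_ack(pkt, slot):
            self.host.establish(pkt)
            return "ESTABLISHED"
        # ACK/RST/data claiming an existing session cannot be judged statelessly: forward it
        return self.host.receive(pkt)

def run_flood(flags, n, slot=1000):  # constructed flood of n spoofed-source packets
    fe = StatelessFrontEnd()
    for i in range(n):
        fe.receive({"src": f"10.0.{i >> 8}.{i & 255}", "sport": 40000 + i, "dport": 80,
                    "flags": flags, "ack": i}, slot)
    return fe.host.lookups  # session-table lookups the flood forced on the host

def legitimate_client(slot=1000):  # constructed client: cookie handshake, then data
    fe = StatelessFrontEnd()
    base = {"src": "192.0.2.7", "sport": 51000, "dport": 80}
    fe.receive({**base, "flags": "SYN", "ack": 0}, slot)
    ack = (syn_cookie(base, slot) + 1) & 0xFFFFFFFF
    r1 = fe.receive({**base, "flags": "ACK", "ack": ack}, slot + 1)
    r2 = fe.receive({**base, "flags": "PSH-ACK", "ack": ack}, slot + 1)
    return r1, r2, fe.host.lookups
```

A SYN flood of any size costs the host no lookups, whereas every RST or spoofed ACK packet reaches the session table before it can be dropped, which is the asymmetry the text describes.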
DDoS attacks come in many other varieties and are constantly evolving as the technology to defeat them improves. DoS attack methods include IP spoofing, bandwidth consumption attacks (such as smurf attacks and fraggle attacks) and resource starvation attacks (such as the SYN floods mentioned above). One example of technology designed to defeat DDoS attacks is a traditional firewall that matches packets to a session before allowing them to pass, operating at Level 5 of the Open Systems Interconnection (OSI) model. The amount of processing required to implement such a firewall leaves it susceptible to DDoS attack, as the available processing power is quickly exhausted when a commodity or software-based firewall is used. A sufficiently powerful firewall can defeat a DDoS attack, but such solutions are very expensive in both monetary cost and processing power.
The software stack on the server does a good job of filtering out nefarious packets, but it is easily overwhelmed. The protocol stack is an implementation of a computer networking protocol suite. Without a firewall, the software stack is particularly vulnerable to DDoS attacks. One example of a protocol stack is TCP/IP, which operates at Levels 3-5 of the OSI model. Other examples of protocol stacks implement the computer networking protocol suite for HTTP, Ethernet, etc.